Gerhard,

> On 22 May 2018, at 14:32, Gerhard Mourani <[email protected]> wrote:
> 
> Simone,
> 
> There is not so much configuration available on the Meraki device to set up 
> Netflow. Only enable it, define the IP of the collector and port 
> (https://documentation.meraki.com/MX-Z/Monitoring_and_Reporting/NetFlow_Overview).

Please, generate a pcap of what nprobe is getting on port 6343 and upload it 
somewhere for our inspection. The command is the following (let it run for a 
minute):

tcpdump -i any port 6343 -s 0 -w port6343.pcap


> 
> According to the Cisco documentation, Meraki uses Netflow v9 but ntopng reports 
> that sFlow is received and returned to the Meraki device!

Note that typically port 6343 (the one you're using with nprobe) is used by 
sFlow exporters. So maybe there's some other exporter and you are collecting 
its traffic rather than that of the Meraki?

> Also, if I'm correct here, nProbe uses Netflow to send to ntopng, so how can 
> Netflow v9 to Netflow collector (nProbe) to ntopng become sFlow?
> 
> Gerhard,
> 
> 
>> On May 20, 2018, at 3:59 AM, Simone Mainardi <[email protected]> wrote:
>> 
>> Gerhard,
>> 
>> So that looks more like a Meraki configuration issue. It seems that the 
>> Meraki is doing sFlow on its own generated sFlow traffic. Basically it sends 
>> sFlow packets, then the sFlow process samples sFlow packets and, in turn, it 
>> triggers the generation of additional sFlow packets and so on. This 
>> 'amplification' also explains why you are seeing a huge amount of 100% sent 
>> sFlow traffic. Please check that config.
>> 
>> Simone
>> 
>>> On 17 May 2018, at 15:10, Gerhard Mourani <[email protected]> wrote:
>>> 
>>> Yes
>>> 
>>>> On May 17, 2018, at 9:03 AM, Simone Mainardi <[email protected]> wrote:
>>>> 
>>>>> 
>>>>> On 17 May 2018, at 14:30, Gerhard Mourani <[email protected]> wrote:
>>>>> 
>>>>> Hi Simone,
>>>>> 
>>>>> Here is the ntopng and nProbe configuration used.
>>>>> 
>>>>> Ntopng:
>>>>> --interface eth0
>>>>> --interface tcp://127.0.0.1:5556
>>>>> --local-networks 172.22.9.0/24,192.168.0.0/16,172.22.0.0/16,10.0.0.0/8
>>>>> --daemon
>>>>> --user ntopng
>>>>> --pid /var/run/ntopng/ntopng.pid
>>>>> --http-port 0
>>>>> --https-port :3001
>>>>> --data-dir /var/lib/nst/ntopng
>>>>> --dns-mode 1
>>>>> --disable-autologout
>>>>> --disable-login 0
>>>>> --sticky-hosts none
>>>>> --http-prefix /ntopng
>>>>> --ndpi-protocols /etc/ntopng/protos.txt
>>>>> 
>>>>> nProbe:
>>>>> /usr/local/bin/nprobe -i none -n none --zmq tcp://*:5556 
>>>>> -b 2 -3 6343 --online-license-check 
>>>>> --as-list=/usr/share/ntopng/httpdocs/geoip/GeoIPASNum.dat 
>>>>> --city-list=/usr/share/ntopng/httpdocs/geoip/GeoLiteCity.dat -G 
>>>>> --pid-file /var/run/nprobe/nprobe.pid -V 9 --disable-cache 
>>>>> --zmq-disable-buffering
>>>>> 
>>>>> I don't know if I can attach pictures to this message to explain what I 
>>>>> mean by saying that my collector ntopng returns sFlow to the remote Meraki 
>>>>> device.
>>>>> 
>>>>> Traffic from my collector IP is almost 100% sent and when I check the 
>>>>> Protocol detail, it shows that it's sFlow (Sent 100%) to my remote Meraki 
>>>>> device under the Peers tab!
>>>> 
>>>> Are you sure you have selected interface tcp://127.0.0.1:5556 from the 
>>>> ntopng interfaces dropdown menu?
>>>> 
>>>>> 
>>>>> Gerhard,
>>>>> 
>>>>> 
>>>>>> On May 17, 2018, at 3:53 AM, Simone Mainardi <[email protected]> wrote:
>>>>>> 
>>>>>> Gerhard,
>>>>>> 
>>>>>> Can you enclose nProbe and ntopng configurations used as well as an 
>>>>>> example of what you mean with 'my collector return the flow to the 
>>>>>> Meraki device'?
>>>>>> 
>>>>>> Thank you
>>>>>> 
>>>>>>> On 16 May 2018, at 19:59, Gerhard Mourani <[email protected]> wrote:
>>>>>>> 
>>>>>>> 
>>>>>>> Hello,
>>>>>>> 
>>>>>>> I've activated Netflow v9 on Cisco Meraki and receive flows on nProbe (v 
>>>>>>> 8.2.171206-5975) correctly. The problem is that my collector (ntopng v 
>>>>>>> 3.2) returns the flow to the Meraki device and I don't understand why. 
>>>>>>> This generates a lot of data, in our case ~1TB per hour for sFlow!
>>>>>>> 
>>>>>>> Regards,
>>>>>>> _______________________________________________
>>>>>>> Ntop mailing list
>>>>>>> [email protected] <mailto:[email protected]>
>>>>>>> http://listgateway.unipi.it/mailman/listinfo/ntop 
>>>>>>> <http://listgateway.unipi.it/mailman/listinfo/ntop>
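
One way to check a capture like the port6343.pcap requested in the reply above, as an added example that is not part of the original thread or of ntop's tools: it reads a classic pcap file and counts, per source IP, whether each datagram sent to the collection port begins with a NetFlow v5/v9/IPFIX or an sFlow v5 version field. The sample capture and its 192.0.2.x addresses are constructed; VLAN-tagged frames, IPv6 and pcapng files are assumed absent.

```python
import struct
from collections import Counter

LINK_HEADER_LEN = {1: 14, 113: 16, 276: 20}  # Ethernet, Linux cooked v1/v2 (-i any)
PCAP_MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",   # little-endian
              b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}   # big-endian

def classify(payload: bytes) -> str:
    """Name the flow-export protocol from the datagram's leading version field."""
    if len(payload) >= 4 and struct.unpack("!I", payload[:4])[0] == 5:
        return "sFlow v5"          # sFlow v5 starts with a 32-bit version
    if len(payload) >= 2:          # NetFlow and IPFIX start with a 16-bit version
        version = struct.unpack("!H", payload[:2])[0]
        return {5: "NetFlow v5", 9: "NetFlow v9", 10: "IPFIX"}.get(version, "unknown")
    return "unknown"

def udp_payloads(pcap: bytes, port: int):
    """Yield (source IP, UDP payload) for IPv4 datagrams sent to `port`."""
    endian = PCAP_MAGIC[pcap[:4]]  # KeyError here means: not a classic pcap file
    skip = LINK_HEADER_LEN[struct.unpack(endian + "I", pcap[20:24])[0]]
    pos = 24                       # first record follows the 24-byte global header
    while pos + 16 <= len(pcap):
        caplen = struct.unpack(endian + "I", pcap[pos + 8:pos + 12])[0]
        ip = pcap[pos + 16 + skip:pos + 16 + caplen]
        pos += 16 + caplen
        if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 17:
            continue               # not IPv4/UDP
        udp = ip[(ip[0] & 0x0F) * 4:]
        if len(udp) >= 8 and struct.unpack("!H", udp[2:4])[0] == port:
            yield ".".join(map(str, ip[12:16])), udp[8:]

def exporters(pcap: bytes, port: int = 6343) -> Counter:
    """Count datagrams per (source IP, protocol) seen on the collection port."""
    return Counter((src, classify(p)) for src, p in udp_payloads(pcap, port))

def sample_pcap() -> bytes:
    """Constructed capture: one NetFlow v9 and one sFlow v5 datagram, both to 6343."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 113)
    for src, data in ((b"\xc0\x00\x02\x01", b"\x00\x09\x00\x01" + bytes(16)),
                      (b"\xc0\x00\x02\x02", b"\x00\x00\x00\x05\x00\x00\x00\x01" + bytes(20))):
        udp = struct.pack("!HHHH", 40000, 6343, 8 + len(data), 0) + data
        ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0) + src + b"\xc0\x00\x02\x63"
        pkt = bytes(16) + ip + udp  # 16 zero bytes stand in for the cooked header
        out += struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt
    return out

if __name__ == "__main__":
    for (src, proto), n in sorted(exporters(sample_pcap()).items()):
        print(src, proto, n)
```

To inspect a real capture, pass the bytes of the pcap file to exporters() in place of sample_pcap(); more than one source IP, or an sFlow v5 row, points to an exporter other than the expected NetFlow v9 device.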